4.
Why is Network Security Important?
• Computer networks have grown in both size and importance
in a very short time. If the security of the network is
compromised, there could be serious consequences, such
as loss of privacy, theft of information, and even legal
liability. To make the situation even more challenging, the
types of potential threats to network security are always
evolving.

10.
Developing a Security Policy
• The first step any organization should take to protect its data,
and to protect itself from liability, is to develop a security policy: a
set of principles that guide decision-making and allow leaders in the
organization to delegate authority with confidence.
• A security policy meets these goals:
– Informs users, staff, and managers of their obligations for
protecting technology and information assets
– Specifies the mechanisms through which these requirements can be
met
– Provides a baseline from which to acquire, configure, and audit
computer systems and networks for compliance with the policy
• A security policy can be as simple as a brief Acceptable Use Policy for
network resources, or it can run to several hundred pages and detail
every element of connectivity and the policies that apply to it.

12.
Common Security Threats
• When discussing network security, three common factors are
vulnerability, threat, and attack.
Vulnerability
• A vulnerability is a weakness. Every network and device has some
degree of weakness; the question is how exploitable it is.
• There are three primary classes of vulnerability or weakness:
– Technological weaknesses (flaws in protocols, operating systems,
and network equipment)
– Configuration weaknesses (insecure defaults, unsecured accounts,
misconfigured services)
– Security policy weaknesses (no written policy, or one that is not
enforced)

20.
Common Security Threats: Threats to Networks
• Threats to networks fall into four primary classes:
• Unstructured threats: consist mostly of inexperienced individuals
using easily available hacking tools. Even an attacker with limited
skill can do serious damage to a network with such tools.
• Structured threats: come from individuals or groups that are more
highly motivated and technically competent. These people understand
system vulnerabilities and use sophisticated techniques to penetrate
unsuspecting businesses.
• External threats: arise from individuals or organizations working
outside the company who do not have authorized access to its
computer systems or network.
• Internal threats: occur when someone with authorized access to the
network, either through an account or through physical access,
misuses that access, whether deliberately or by accident.

21.
Common Security Threats: Social Engineering
• The easiest hack involves no computer skill at all.
• Social engineering: an intruder tricks a member of the organization
into handing over valuable information, such as the location of files
or passwords.
• Phishing is a type of social engineering attack that uses e-mail or
other messages to trick recipients into providing sensitive
information, such as credit card numbers or passwords.
• Phishing is countered by educating users and giving them a clear
procedure for reporting suspicious e-mail. Education reduces the
success rate but does not eliminate it, so the reports need to be
acted on.

22.
Types of Network Attacks
• Reconnaissance
– Is the unauthorized discovery and mapping of systems,
services, or vulnerabilities.
– It is also known as information gathering and, in most
cases, it precedes another type of attack.
• Access
– Is the ability for an intruder to gain access to a device for
which the intruder does not have an account or a
password.
• Denial of service (DoS)
– Is when an attacker disables or corrupts networks,
systems, or services with the intent to deny services to
intended users.
• Malicious code: worms, viruses, and Trojan horses (covered in the
following slides)

23.
Reconnaissance Attacks
• Reconnaissance attacks can consist of the following:
– Internet information queries
– Ping sweeps
– Port scans
– Packet sniffers
• Information gathered by eavesdropping (packet sniffing) can be used
to mount other attacks on the network.
• Two common uses of eavesdropping are as follows:
– Information gathering: network intruders can identify usernames,
passwords, or other information carried in a packet.
– Information theft: the theft can occur as data is transmitted over
the internal or external network. The network intruder can also
steal data from networked computers by gaining unauthorized access.
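The two noisiest techniques on this slide, ping sweeps and port scans, leave a pattern that is easy to pick out of flow records. The following detector is an added example and is not part of the original slides: it runs over a constructed set of flow tuples (time, source, destination, protocol, destination port or ICMP type) and flags a source that pings many hosts or probes many ports on one host within a time window. The thresholds and the sample traffic are assumptions to be tuned for a real network.

```python
"""Added example, not part of the original slides: flag ping sweeps and port
scans in a set of constructed flow records. Each record is
(time_s, src, dst, proto, dport); for ICMP the last field carries the ICMP
type (8 = echo request)."""
from collections import defaultdict

# Constructed sample: 192.0.2.9 sweeps 10.0.0.1-14 with ICMP echo, then touches
# twenty low TCP ports on 10.0.0.5; 10.0.0.7 is an ordinary HTTPS client.
SAMPLE_FLOWS = (
    [(t, "192.0.2.9", f"10.0.0.{h}", "icmp", 8) for t, h in enumerate(range(1, 15))]
    + [(20 + i, "192.0.2.9", "10.0.0.5", "tcp", p) for i, p in enumerate(range(20, 40))]
    + [(5, "10.0.0.7", "10.0.0.5", "tcp", 443), (6, "10.0.0.7", "10.0.0.5", "tcp", 443)]
)


def max_distinct_in_window(events, window):
    """Largest number of distinct values seen in any span of `window` seconds.
    `events` is an iterable of (time, value) pairs."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({v for _, v in events[start:end + 1]}))
    return best


def detect_recon(flows, window=60, sweep_hosts=8, scan_ports=10):
    """Return {src: set of findings}. Ping sweep: one source sends ICMP echo to at
    least `sweep_hosts` distinct hosts within `window` seconds. Port scan: one
    source touches at least `scan_ports` distinct TCP/UDP ports on one host
    within the window. The thresholds are assumptions to be tuned per network."""
    echo_targets = defaultdict(list)   # src -> [(t, dst)]
    port_targets = defaultdict(list)   # (src, dst) -> [(t, dport)]
    for t, src, dst, proto, dport in flows:
        if proto == "icmp" and dport == 8:
            echo_targets[src].append((t, dst))
        elif proto in ("tcp", "udp"):
            port_targets[(src, dst)].append((t, dport))

    findings = defaultdict(set)
    for src, events in echo_targets.items():
        if max_distinct_in_window(events, window) >= sweep_hosts:
            findings[src].add("ping_sweep")
    for (src, dst), events in port_targets.items():
        if max_distinct_in_window(events, window) >= scan_ports:
            findings[src].add(f"port_scan:{dst}")
    return dict(findings)


if __name__ == "__main__":
    for src, labels in detect_recon(SAMPLE_FLOWS).items():
        print(src, sorted(labels))
```

The sliding window matters: a scanner that spreads its probes over hours stays under any per-minute threshold, which is why slow scans are caught by longer windows or by counting per day, at the cost of more false positives from legitimate monitoring hosts.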

24.
Reconnaissance Attacks
• Three of the most effective methods for counteracting eavesdropping
are as follows:
– Using switched networks instead of hubs so that traffic is not
broadcast to every endpoint. Note that a switch only limits casual
sniffing: an attacker on the same segment can still redirect traffic
with ARP spoofing or MAC flooding, so switching is not a substitute
for encryption.
– Using encryption that meets the data security needs of the
organization without imposing an excessive burden on system
resources or users.
– Implementing and enforcing a policy directive that forbids the use
of protocols with known susceptibility to eavesdropping (Telnet,
FTP, HTTP, and SNMPv1/v2c all carry credentials in clear text).
• Encryption protects data that is susceptible to eavesdropping,
password cracking, or manipulation.

25.
Access Attacks
• Access attacks exploit known vulnerabilities in authentication
services, FTP services, and web services to gain entry to
web accounts, confidential databases, and other sensitive
information.
• Password attacks:
– Use a packet sniffer to capture user accounts and passwords that
are transmitted in clear text.
– Use programs that repeatedly attempt to log in as a user with words
taken from a dictionary (dictionary attack).
– Use rainbow tables: precomputed tables of hashes for large sets of
candidate passwords, so that a captured unsalted hash can be looked
up instead of computed. Salting the stored hashes defeats this.
– Use brute force: try every possible combination of characters. This
always succeeds eventually, but the cost grows exponentially with
password length and character set, so long passwords and slow hash
functions keep it impractical.
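The three offline attacks above differ mainly in where the cost is paid. The following added example (not from the original slides) shows each of them against MD5 hashes of a constructed wordlist, and goes one step beyond the slide by showing why a salt makes the precomputed table useless while leaving a dictionary attack merely slower. MD5 and the tiny wordlist are chosen for speed of demonstration, not as a recommendation.

```python
"""Added example, not part of the original slides: dictionary, precomputed
table and brute-force attacks against MD5 password hashes, and the effect of a
salt. Hashes and wordlist are constructed for the demo."""
import hashlib
import itertools
import string

# Constructed wordlist standing in for a dictionary file.
WORDLIST = ["password", "letmein", "cisco", "admin123", "summer2024"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def dictionary_attack(target_hash: str, words=WORDLIST):
    """Hash each candidate and compare: one hash per word per target."""
    for word in words:
        if md5_hex(word) == target_hash:
            return word
    return None


def build_rainbow_table(words=WORDLIST):
    """A real rainbow table compresses this with hash/reduce chains; a plain
    lookup table is the same trade (precompute once, look up many targets)."""
    return {md5_hex(w): w for w in words}


def rainbow_lookup(table, target_hash: str):
    return table.get(target_hash)


def brute_force(target_hash: str, alphabet=string.ascii_lowercase, max_len=4):
    """Try every string up to max_len; work grows as |alphabet| ** length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if md5_hex(candidate) == target_hash:
                return candidate
    return None


def salted_md5_hex(password: str, salt: str) -> str:
    """The salt is stored beside the hash; it need not be secret, only unique."""
    return md5_hex(salt + password)


def salted_dictionary_attack(target_hash: str, salt: str, words=WORDLIST):
    """With the salt known a dictionary attack still works, but every
    (salt, word) pair must be hashed afresh, so nothing can be precomputed."""
    for word in words:
        if salted_md5_hex(word, salt) == target_hash:
            return word
    return None


if __name__ == "__main__":
    table = build_rainbow_table()
    print("dictionary:", dictionary_attack(md5_hex("cisco")))
    print("table hit :", rainbow_lookup(table, md5_hex("letmein")))
    print("table miss:", rainbow_lookup(table, salted_md5_hex("letmein", "s4lt")))
    print("brute     :", brute_force(md5_hex("abc")))
```

On Cisco IOS the enable secret (type 5) is a salted MD5 hash, so the table attack does not apply to it, but a dictionary attack still does if the hash is read from a leaked configuration; newer IOS releases offer the slower type 8 (PBKDF2-SHA-256) and type 9 (scrypt) algorithms for exactly that reason.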

26.
Access Attacks
• Trust Exploitation
– Compromise a host that other systems trust, then use it to stage
attacks on those hosts from the inside.
– Trust exploitation attacks are mitigated by placing tight
constraints on trust relationships within a network, so that a single
compromised host cannot be used to reach many others.

28.
Access Attacks
• Man-in-the-Middle Attack:
– Is carried out by attackers who manage to position themselves
between two legitimate hosts and read or alter the traffic between
them.
– A transparent proxy is a popular method of MITM: the victim's
traffic is relayed through the attacker with no change visible to
the victim.
– Mitigation: encryption combined with authentication of the remote
end (for example SSH host keys), so that an interposed party cannot
read or alter the traffic unnoticed.

29.
DoS Attacks
• DoS attacks:
– Are the most publicized form of attack and also among
the most difficult to eliminate.
– DoS attacks take many forms

30.
DoS Attacks
• Ping of Death:
– Took advantage of vulnerabilities in older operating systems.
– The attacker sends a fragmented ICMP echo request (ping) whose
fragments reassemble to more than the 65,535-byte IP maximum: the
fragment headers claim more data than a datagram can legally hold,
and stacks that did not check this overflowed their reassembly
buffer and crashed.
• SYN Flood:
– Exploits the TCP three-way handshake: the attacker sends a stream
of SYN segments, often from spoofed source addresses, and never
completes the handshake, so the server's table of half-open
connections fills up and legitimate clients are refused.
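Both attacks above reduce to a simple check on packet metadata, which is how a host stack or an IPS recognises them. The following added example, not part of the original slides, implements the two checks offline: a fragment reassembly bound for Ping of Death and a per-server count of half-open TCP connections for SYN floods. The sample packets and the flood threshold are constructed for the demo.

```python
"""Added example, not part of the original slides: the two DoS signatures
above checked against constructed packet metadata, offline and without
sockets. Thresholds and sample traffic are assumptions for the demo."""
from collections import defaultdict

IP_MAX_LEN = 65535   # largest datagram the 16-bit IP total-length field allows
IP_HDR_LEN = 20      # minimal IPv4 header


def reassembled_length(fragments):
    """Given (offset_in_8_byte_units, data_len) pairs from one datagram's
    fragments, return the size the datagram would have once reassembled."""
    data_end = max(off * 8 + length for off, length in fragments)
    return IP_HDR_LEN + data_end


def is_ping_of_death(fragments):
    """Ping of Death: the fragment headers promise more data than an IP datagram
    can hold. A stack whose reassembly buffer is sized to IP_MAX_LEN overflows."""
    return reassembled_length(fragments) > IP_MAX_LEN


class HalfOpenTracker:
    """SYN flood detector. Tracks embryonic TCP connections per (server, port):
    a client SYN opens one, the client's final ACK (or a RST/FIN) closes it. A
    server with `threshold` or more half-open connections is flagged."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.pending = defaultdict(set)   # (server, port) -> {(client, port)}

    def observe(self, src, sport, dst, dport, flags):
        """flags: 'S' client SYN, 'SA' server SYN-ACK, 'A' client ACK, 'R'/'F'."""
        if flags == "S":
            self.pending[(dst, dport)].add((src, sport))
        elif flags in ("A", "R", "F"):
            self.pending[(dst, dport)].discard((src, sport))
        # 'SA' is the server's reply; it does not change the client's state here.

    def flooded_servers(self):
        return {srv: len(c) for srv, c in self.pending.items()
                if len(c) >= self.threshold}


# Constructed traffic: one legitimate handshake, then 50 spoofed SYNs to port 80.
SAMPLE_PACKETS = [
    ("10.0.0.7", 40001, "10.0.0.5", 80, "S"),
    ("10.0.0.5", 80, "10.0.0.7", 40001, "SA"),
    ("10.0.0.7", 40001, "10.0.0.5", 80, "A"),
] + [(f"198.51.100.{i}", 1024 + i, "10.0.0.5", 80, "S") for i in range(1, 51)]


def run_sample(threshold=30):
    """Feed the constructed packets through a tracker; return flagged servers."""
    tracker = HalfOpenTracker(threshold)
    for pkt in SAMPLE_PACKETS:
        tracker.observe(*pkt)
    return tracker.flooded_servers()


if __name__ == "__main__":
    print("two ordinary 1480-byte fragments:", is_ping_of_death([(0, 1480), (185, 1480)]))
    print("oversized ping:", is_ping_of_death([(0, 1480), (8189, 32)]))
    print("half-open per server:", run_sample())
```

The legitimate client disappears from the table as soon as its ACK arrives; the spoofed sources never answer the SYN-ACK, so they accumulate. Real mitigations work on the same state (SYN cookies on the host, or TCP intercept and rate limiting on the router) rather than on the individual packets, which look perfectly valid.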

32.
DoS Attacks
DDoS Attacks (cont.)
• There are three components to a DDoS attack:
– A Client, typically the person who launches the attack.
– A Handler, a compromised host running the attacker's program; each
Handler is capable of controlling multiple Agents.
– An Agent, a compromised host running the attacker's program and
responsible for generating the stream of packets directed at the
intended victim.
• Examples of DDoS attacks include the following: Smurf (ICMP
amplification through directed broadcasts), Tribe Flood Network (TFN),
Stacheldraht, and MyDoom.

34.
Malicious Code Attacks: Worms
• The enabling vulnerability: a worm installs itself by exploiting a
known vulnerability in a system, or a weakness in user behaviour such
as opening an unverified executable attachment in an e-mail.
• Propagation mechanism: after gaining access to a host, a worm copies
itself to that host and then selects new targets, typically by
scanning for other hosts with the same vulnerability.
• Payload: once a host is infected with a worm, the attacker has access
to the host, often as a privileged user. Where the initial access is
unprivileged, attackers can use a local exploit to escalate to
administrator.

35.
Malicious Code Attacks: Worms
• Worm attack mitigation requires diligence on the part of
system and network administration staff.
• The following are the recommended steps for worm attack
mitigation:
– Containment: Contain the spread of the worm within the network.
Compartmentalize the uninfected parts of the network.
– Inoculation: Start patching all systems and, if possible, scan for
vulnerable systems.
– Quarantine: Track down each infected machine inside the network.
Disconnect, remove, or block infected machines from the network.
– Treatment: Clean and patch each infected system. Some worms may
require a complete reinstallation of the system to clean it.

36.
Malicious Code Attacks: Viruses and Trojan Horses
• A virus is malicious software that attaches itself to another
program in order to execute a particular unwanted function on a
workstation.
• A Trojan horse differs only in that the entire application was
written to look like something else, when in fact it is an attack
tool.

37.
Host and Server Based Security
• Device Hardening
– Default usernames and passwords should be changed
immediately.
– Access to system resources should be restricted to only
the individuals that are authorized to use those resources.
– Any unnecessary services and applications should be
turned off and uninstalled, when possible.
• Antivirus Software
– Scans files, comparing their contents against known viruses in a
signature dictionary. Matches are handled in the manner the user has
configured. Signature scanning only catches malware that is already
known, so signatures must be kept up to date.
– Monitors suspicious processes running on a host that might indicate
infection. This monitoring may include data captures, port
monitoring, and other methods.

39.
Intrusion Detection and Prevention
• Intrusion detection systems (IDS) detect attacks against a network
and send logs to a management console; they do not block traffic.
• Intrusion prevention systems (IPS) sit in the traffic path and
prevent attacks against the network, providing the following active
defense mechanisms in addition to detection:
– Prevention: Stops the detected attack from executing.
– Reaction: Immunizes the system against future attacks from the
malicious source, for example by blocking it.

40.
Intrusion Detection and Prevention
Host-based Intrusion Detection Systems
• Implemented as inline or passive technology.
• Passive technology, the first generation, is called a host-based
intrusion detection system (HIDS). A HIDS sends logs to a management
console after the attack has occurred, when the damage is already
done.
• Inline technology, called a host-based intrusion prevention system
(HIPS), actually stops the attack, prevents damage, and blocks the
propagation of worms and viruses.

44.
The Network Security Wheel
• Most security incidents occur because system
administrators do not implement available
countermeasures, and attackers or disgruntled
employees exploit the oversight.
• The Security Wheel has proven to be an effective approach.
• The Security Wheel promotes retesting and reapplying
updated security measures on a continuous basis.
• A security policy includes the following:
– Identifies the security objectives of the organization.
– Documents the resources to be protected.
– Identifies the network infrastructure with current maps and
inventories.
– Identifies the critical resources that need to be protected,
such as research and development, finance, and human
resources. This is called a risk analysis.

47.
The Enterprise Security Policy
• A security policy is a set of guidelines established to
safeguard the network from attacks, both from inside and
outside a company.
• Security policy benefits:
– Provides a means to audit existing network security and compare
the requirements to what is in place.
– Helps plan security improvements, including equipment, software,
and procedures.
– Defines the roles and responsibilities of company executives,
administrators, and users.
– Defines which behavior is and is not allowed.
– Defines a process for handling network security incidents.
– Enables global security implementation and enforcement by acting
as a standard between sites.
– Creates a basis for legal action if necessary.

48.
Functions of a Security Policy
• The security policy applies to everyone, including employees,
contractors, suppliers, and customers who have access to the network.

52.
Router Security Issues
The Role of Routers in Network Security
• Routers fulfill the following roles:
– Advertise networks and filter who can use them.
– Provide access to network segments and subnetworks.

53.
Routers are Targets
• Because routers provide the gateways to other networks, they are
obvious targets and are subject to a variety of attacks:
– Compromising the access control can expose network configuration
details, thereby facilitating attacks against other network
components.
– Compromising the routing tables can reduce performance, deny
network communication services, and expose sensitive data.
– Misconfiguring a router traffic filter can expose internal network
components to scans and attacks, and make it easier for attackers
to avoid detection.
• Attackers can compromise routers in different ways: trust
exploitation attacks, IP spoofing, session hijacking, and MITM
attacks.

58.
Securing Administrative Access to Routers
• Network administrators can connect to a router or switch locally or
remotely.
• Local access through the console port:
– Is secure as long as physical access to the device is controlled
(anyone at the console can perform password recovery).
– Does not scale: with many devices it becomes overwhelming.
• Remote administrative access:
– Is not secure by default (Telnet and HTTP carry credentials in
clear text).
– To secure it: first secure the administrative lines (VTY, AUX) with
authentication, then configure the device to accept only SSH so that
the management traffic is encrypted.

59.
Remote Administrative Access with Telnet and SSH
• Having remote access to network devices is critical for effectively
managing a network.
• Remote access typically involves allowing Telnet, Secure Shell (SSH),
HTTP, HTTP Secure (HTTPS), or SNMP connections to the router from a
computer on the same internetwork as the router.
• If remote access is required, your options are as follows:
– Establish a dedicated management network.
– Encrypt all traffic between the administrator computer and the
router (SSH and HTTPS rather than Telnet and HTTP; SNMPv3 rather
than SNMPv1/v2c).

61.
Implementing SSH to Secure Remote Administrative Access
• Telnet traffic is forwarded in plain text; it uses TCP port 23.
• SSH has replaced Telnet; it uses TCP port 22 and encrypts the
session.
• Not all Cisco IOS images support SSH. The images that do are the
cryptographic feature sets, typically identified by k8 or k9 in the
image name.
• The SSH terminal-line access feature enables administrators to configure
routers with secure access and perform the following tasks:
– Connect to a router that has multiple terminal lines connected to
consoles or serial ports of other routers, switches, and devices.
– Simplify connectivity to a router from anywhere by securely
connecting to the terminal server on a specific line.
– Allow modems attached to routers to be used for dial-out securely.
– Require authentication to each of the lines through a locally defined
username and password, or a security server such as a TACACS+ or
RADIUS server.

67.
Vulnerable Router Services and Interfaces
• Services which should typically be disabled are:
– Small services such as echo, discard, and chargen: use the
no service tcp-small-servers and no service udp-small-servers
commands.
– BOOTP: use the no ip bootp server command.
– Finger: use the no service finger command.
– HTTP: use the no ip http server command (use HTTPS, ip http
secure-server, if web management is required).
– SNMP: use the no snmp-server command if SNMP is not needed; if
monitoring requires it, use SNMPv3 with authentication and
encryption rather than v1/v2c community strings.
– Cisco Discovery Protocol (CDP): use the no cdp run command.
– Remote configuration loading: use the no service config command.
– Source routing: use the no ip source-route command.
– Classless routing: the original list says to use the no ip classless
command; be aware that this changes how packets to unknown subnets of
a directly connected classful network are forwarded and can break
routing in CIDR networks, so verify the effect before applying it.
– Unused interfaces: use the shutdown command.
– Directed broadcasts (Smurf amplification): use the no ip
directed-broadcast command on each interface.
– Proxy ARP (ad hoc routing): use the no ip proxy-arp command on each
interface.
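A checklist like the one above is only useful if it is applied consistently, so the natural tool is an audit that reads a saved running-config and reports what is missing. The following added example is not part of the original slides: it checks a constructed `show running-config` excerpt for the services listed above, for unused interfaces left up, and for VTY lines that still accept Telnet (the device-hardening and SSH points from earlier slides). The checks encode the commands on this slide, not a complete hardening standard, and the sample config is made up for the demo.

```python
"""Added example, not part of the original slides: audit a captured
`show running-config` against the service checklist above. The config text is
constructed for the demo; the checks encode the slide's commands only."""

# Constructed running-config excerpt with several of the weaknesses listed above.
SAMPLE_CONFIG = """\
hostname R1
service tcp-small-servers
ip http server
snmp-server community public RO
cdp run
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/1
 no ip address
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Global lines whose presence is a finding: the service is explicitly enabled.
UNSAFE_GLOBAL = {
    "service tcp-small-servers": "TCP small servers (echo/discard/chargen) enabled",
    "service udp-small-servers": "UDP small servers enabled",
    "ip http server": "cleartext HTTP management enabled",
    "ip bootp server": "BOOTP server enabled",
    "service finger": "finger enabled",
    "cdp run": "CDP advertising device details",
}
# Hardening lines whose absence is a finding: these features are on by default,
# so the config only shows them once the 'no' form has been set.
REQUIRED_GLOBAL = {
    "no ip source-route": "IP source routing not disabled",
    "no service config": "remote config loading (service config) not disabled",
}
UNSAFE_INTERFACE = {
    "ip directed-broadcast": "directed broadcasts enabled (Smurf amplifier)",
    "ip proxy-arp": "proxy ARP enabled",
}


def blocks(text):
    """Yield (header, [indented sub-commands]) for each interface/line block;
    a block ends at the next non-indented line (including '!')."""
    header, body = None, []
    for raw in text.splitlines() + ["!"]:
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = None, []
        if raw.startswith(("interface ", "line ")):
            header = raw.strip()


def audit_config(text):
    """Return a sorted list of 'where: finding' strings for the config text."""
    findings = []
    present = {line.strip() for line in text.splitlines()}
    for cmd, msg in UNSAFE_GLOBAL.items():
        if cmd in present:
            findings.append(f"global: {msg}")
    for cmd, msg in REQUIRED_GLOBAL.items():
        if cmd not in present:
            findings.append(f"global: {msg}")
    if "cdp run" not in present and "no cdp run" not in present:
        findings.append("global: CDP left at its default (enabled)")
    if any(l.startswith("snmp-server community") for l in present):
        findings.append("global: SNMPv1/v2c community string configured")
    for header, body in blocks(text):
        if header.startswith("interface "):
            for cmd in body:
                if cmd in UNSAFE_INTERFACE:
                    findings.append(f"{header}: {UNSAFE_INTERFACE[cmd]}")
            if not any(c.startswith("ip address ") for c in body) and "shutdown" not in body:
                findings.append(f"{header}: unused interface not shut down")
        else:  # line con/aux/vty
            for cmd in body:
                if cmd.startswith("transport input") and ("telnet" in cmd or cmd.endswith(" all")):
                    findings.append(f"{header}: cleartext Telnet allowed, use 'transport input ssh'")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The split between "unsafe if present" and "required to be present" is the part that bites in practice: `show running-config` omits defaults, so a feature that is on by default (source routing, CDP) is only known to be off when the explicit `no` line appears.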

69.
Securing Routing Protocols
• Routing systems can be attacked in two ways:
– Disruption of peers
– Falsification of routing information
• The best way to protect routing information on the network is to
authenticate routing protocol packets. The slide recommends message
digest algorithm 5 (MD5) keyed authentication: each packet carries a
digest computed over the packet and a shared secret, so the secret is
never sent on the wire and a forged or altered update is rejected.
Where the platform supports it, prefer the newer HMAC-SHA variants
over MD5.
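To make the MD5 authentication above concrete, the following added example (not part of the original slides) implements the keyed-digest construction in the shape OSPFv2 uses it (RFC 2328, Appendix D): the shared key is padded to 16 bytes and appended to the packet, MD5 is computed over the result, and the digest is sent after the packet, with a non-decreasing cryptographic sequence number to reject replays. The packet layout is a simplified stand-in rather than real OSPF encoding, and the key and messages are constructed for the demo.

```python
"""Added example, not part of the original slides: OSPF-style keyed MD5
authentication of routing packets with replay protection. The header layout is
a simplified stand-in (1-byte key id, 4-byte sequence number), not real OSPF."""
import hashlib
import hmac

KEY_LEN = 16       # OSPF pads the key to 16 bytes
AUTH_HDR_LEN = 5   # key id (1) + sequence number (4) in this simplified layout


def pad_key(key: bytes) -> bytes:
    if len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def sign_packet(body: bytes, key_id: int, seq: int, key: bytes) -> bytes:
    """What a sender puts on the wire: key_id | seq | body | md5(packet || key).
    Key id and sequence number travel in clear; only the digest needs the key."""
    packet = key_id.to_bytes(1, "big") + seq.to_bytes(4, "big") + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


class Neighbour:
    """Receiver side: known keys by id, and last accepted sequence per peer."""

    def __init__(self, keys):
        self.keys = keys        # {key_id: key bytes}
        self.last_seq = {}      # peer -> last accepted sequence number

    def verify(self, peer: str, wire: bytes) -> bool:
        if len(wire) < AUTH_HDR_LEN + KEY_LEN:
            return False
        packet, digest = wire[:-KEY_LEN], wire[-KEY_LEN:]
        key_id = packet[0]
        seq = int.from_bytes(packet[1:AUTH_HDR_LEN], "big")
        key = self.keys.get(key_id)
        if key is None:
            return False
        expected = hashlib.md5(packet + pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):   # forged or altered packet
            return False
        if seq < self.last_seq.get(peer, 0):            # replay of an older packet
            return False
        self.last_seq[peer] = seq
        return True


if __name__ == "__main__":
    key = b"s3cr3t"
    nb = Neighbour({1: key})
    good = sign_packet(b"LSU 10.0.0.0/8 via 10.0.0.1", 1, 100, key)
    print("genuine :", nb.verify("10.0.0.2", good))
    bad = bytearray(good)
    bad[AUTH_HDR_LEN] ^= 1                     # flip one bit of the body
    print("tampered:", nb.verify("10.0.0.2", bytes(bad)))
    print("replayed:", nb.verify("10.0.0.2", sign_packet(b"old", 1, 50, key)))
```

On IOS the equivalent is `ip ospf message-digest-key 1 md5 <key>` on each interface plus `area 0 authentication message-digest` under the OSPF process. Note that this is a keyed hash, not an HMAC, and MD5 is no longer considered strong; newer IOS releases support HMAC-SHA authentication for OSPF through key chains (RFC 5709), which is the better choice where available. The plain-text authentication type, by contrast, sends the password itself in every packet and protects against nothing but accidents.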

76.
Cisco SDM Overview
• What is Cisco SDM?
• Security Device Manager (SDM) is an easy-to-use, web-based
device-management tool designed for configuring LAN, WAN, and security
features on Cisco IOS software-based routers.
• The SDM files can be installed on the router, on a PC, or on both.
• Installing SDM on the PC saves router flash memory and allows the
same installation to manage other routers on the network.

79.
Starting Cisco SDM
• Cisco SDM is stored in the router flash memory. It can also be
stored on a local PC.
• To launch Cisco SDM, use HTTPS and enter the IP address of the
router into the browser.

93.
Maintaining Cisco IOS Software Images
• Periodically, the router requires updates to be loaded to
either the operating system or the configuration file to fix
known security vulnerabilities, support new features that
allow more advanced security policies, or improve
performance.

94.
Maintaining Cisco IOS Software Images
• Cisco recommends following a four-phase migration process
to simplify network operations and management.
– Plan: Set goals, identify resources, profile network
hardware and software, and create a preliminary
schedule for migrating to new releases.
– Design: Choose new Cisco IOS releases and create a
strategy for migrating to the releases.
– Implement: Schedule and execute the migration.
– Operate: Monitor the migration progress and make
backup copies of images that are running on your
network.

95.
Maintaining Cisco IOS Software Images
• There are a number of tools available on Cisco.com to aid in migrating
Cisco IOS software.
• The following tools do not require a Cisco.com login:
– Cisco IOS Reference Guide: Covers the basics of the Cisco IOS
software family
– Cisco IOS software technical documents: Documentation for each
release of Cisco IOS software
– Software Center: Cisco IOS software downloads
• The following tools require valid Cisco.com login accounts:
– Bug Toolkit: Searches for known software fixes based on software
version, feature set, and keywords
– Cisco Feature Navigator: Finds releases that support a set of
software features and hardware, and compares releases
– Software Advisor: Compares releases, matches Cisco IOS software
and Cisco Catalyst OS features to releases, and finds out which
software release supports a given hardware device
– Cisco IOS Upgrade Planner: Finds releases by hardware, release,
and feature set, and downloads images of Cisco IOS software

96.
Managing Cisco IOS Images
Cisco IOS File Systems and Devices
• You have to be able to save, back up, and restore configuration
files and IOS images.
• Use the show file systems command to list the file systems available
on the router and the free space in each.

110.
Recovering a Lost Router Password
• Step 1. Connect to the console port. (Password recovery requires
physical access to the device; controlling that access is what makes
the console "secure".)
• Step 2. If you have lost only the enable password, you still have
access to user EXEC mode: type show version and record the
configuration register setting (normally 0x2102).
• Step 3. Use the power switch to turn off the router, and then turn
the router back on.
• Step 4. Press Break on the terminal keyboard within 60 seconds of
power up to put the router into ROMmon.
• Step 5. Type confreg 0x2142 at the rommon 1> prompt. This causes the
router to bypass the startup configuration where the forgotten enable
password is stored.
• Step 6. Type reset at the rommon 2> prompt. The router reboots but
ignores the saved configuration.

111.
Recovering a Lost Router Password
• Step 7. Type no after each setup question, or press Ctrl-C to skip
the initial setup procedure.
• Step 8. Type enable at the Router> prompt. This puts you into
privileged EXEC mode, and you should see the Router# prompt.
• Step 9. Type copy startup-config running-config to copy the saved
configuration from NVRAM into memory.
• Step 10. Type show running-config.
• Step 11. Type configure terminal. The hostname(config)# prompt
appears.
• Step 12. Type enable secret password to set a new enable secret
password.

112.
Recovering a Lost Router Password
• Step 13. Issue the no shutdown command on every interface that you
want to use. You can issue a show ip interface brief command to
confirm that your interface configuration is correct. Every interface
that you want to use should display up up.
• Step 14. Type config-register configuration_register_setting. The
configuration_register_setting is either the value you recorded in
Step 2 or 0x2102. For example:
• R1(config)#config-register 0x2102
• Step 15. Press Ctrl-Z or type end to leave configuration mode. The
hostname# prompt appears.
• Step 16. Type copy running-config startup-config to commit the
changes.
• Because this procedure lets anyone with console access replace the
enable secret, physical security of the router matters. IOS also
offers the no service password-recovery command to disable the ROMmon
bypass, at the cost that recovery then requires erasing the startup
configuration.